OWASP ZAP Screenshots - University of Pennsylvania: Questions and Solutions as screenshots : OWASP ZAP...
Questions and Solutions as screenshots: OWASP ZAP
1. Setting ZAP as an intercepting proxy server: In the Options menu on the home page of the application, under Local Proxy, the port number can be changed for the proxy.
In the network settings of the browser, the proxy should be enabled.
In the History tab, all the requests and responses can be seen when requests are made through the browser; the application acts as a proxy, listening and recording all the requests. Also, alerts and tags like cookies can be seen.
To crawl a website or launch active attacks, a sample web application was created. This web application runs on Jetty and is a simple user form.
2. Crawling your web application: The Spider option is selected after right-clicking the web application, which crawls the website and displays the results.
These are the results obtained after crawling:
Options for crawling, like depth and threads, can be set up in the Options menu:
3. Active attacks on the web application to look for unhandled alerts: Active Scan will scan the web application and display possible alerts.
As explained in the slides, the different alerts can be checked in the bottom left corner:
4. Fuzz test the web application for a specific parameter: Select Fuzz testing for your web application.
Then highlight the parameter you want to fuzz test on (in the case below it is username) and select Add Payload.
Select File Fuzzer and choose from the different fuzz testers available. You can choose all of them to perform extensive testing, or just a few selected payloads.
You can then see the results for the different payloads. Requests and responses can be seen, and different payloads can thus be tested easily. The Reflected state indicates that the response is correct and that the payload is handled by the application.
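The same four steps can be scripted against ZAP's local JSON API rather than clicked through in the GUI; the block below is an added example, not part of the original screenshots. It assumes ZAP is running on 127.0.0.1:8080 with the placeholder API key ZAP_API_KEY and that the sample Jetty user form is served at the hypothetical URL http://localhost:8081/; the alert list is constructed to mirror the shape ZAP returns.

```python
"""ZAP walkthrough steps 2-4 driven through ZAP's local JSON API instead of the GUI.
Assumptions (not from the screenshots): ZAP listens on 127.0.0.1:8080 with API key
ZAP_API_KEY; the sample Jetty user form is at http://localhost:8081/."""
import html
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_API = "http://127.0.0.1:8080"  # ZAP's local proxy/API address (step 1)
API_KEY = "ZAP_API_KEY"            # placeholder: copy your key from Options > API
TARGET = "http://localhost:8081/"  # hypothetical URL of the sample Jetty form
SAMPLE_ALERTS = [  # constructed, shaped like core/view/alerts output
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High", "param": "username"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "param": ""},
]

def zap_call(component, kind, name, **params):
    """GET one ZAP JSON API endpoint, e.g. /JSON/spider/action/scan/."""
    params["apikey"] = API_KEY
    query = urllib.parse.urlencode(params)
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{query}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def wait_for(component, scan_id):
    """Poll the spider/ascan status (a percentage string) until the scan reaches 100."""
    while int(zap_call(component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(2)

def summarize_alerts(alerts):
    """Count alerts per risk level, in the order ZAP's Alerts tab groups them."""
    counts = Counter(a.get("risk", "Informational") for a in alerts)
    return {r: counts.get(r, 0) for r in ("High", "Medium", "Low", "Informational")}

def reflection_state(payload, response_body):
    """Mimic the fuzzer's State column: payload echoed verbatim, HTML-escaped, or absent."""
    if payload in response_body:
        return "Reflected"
    if html.escape(payload, quote=True) in response_body:
        return "Escaped"
    return "Not reflected"

if __name__ == "__main__":  # live run (spider, active scan, alerts); not run on import
    zap_call("core", "action", "accessUrl", url=TARGET)  # seed ZAP's site tree
    wait_for("spider", zap_call("spider", "action", "scan", url=TARGET)["scan"])
    wait_for("ascan", zap_call("ascan", "action", "scan", url=TARGET)["scan"])
    print(summarize_alerts(zap_call("core", "view", "alerts", baseurl=TARGET)["alerts"]))
```

An "Escaped" result from reflection_state is the case the GUI's Reflected state does not separate out: the input came back, but encoded, so the form handled it rather than echoing it raw.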